[60307] in North American Network Operators' Group
Re: WANTED: ISPs with DDoS defense solutions
daemon@ATHENA.MIT.EDU (Michael.Dillon@radianz.com)
Wed Aug 6 05:16:48 2003
To: nanog@merit.edu
From: Michael.Dillon@radianz.com
Date: Wed, 6 Aug 2003 10:15:18 +0100
Errors-To: owner-nanog-outgoing@merit.edu
>> How would the spoofing program, or its user, be able to tell if
>> it was successful? Unless I'm very confused, the definition of
>> spoofing is that the return packets aren't going to come back to you.
>the whole thing would have to take place during a tcp control session
>which used d-h to scramble itself, sort of the same way ssh does.
Diffie-Hellmann is a bit overkill.
It's simpler to have the client open a TCP connection to the server,
retrieve a token which is just some reasonable number of random bits like
64, then send the token back in a set of UDP packets using spoofed
addresses, then pause for a second or two and ask the server (through the
TCP connection) whether it saw the spoofed packets. Three UDP packets
should be enough to eliminate most packet loss scenarios and the spoofed
address could be chosen by munging the first octet to a number from 44 to
54.
That's enough for the server to collect stats and to provide a status
report to the client.
If the client is behind a NAT, and the spoofed source address doesn't get
through, then that's OK because it means that no application in that same
location behind the NAT can use spoofed addresses.
--Michael Dillon
